Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Spy.1498.origin
Сетевая активность:
Подключается к:
- UDP(???) and####.a####.go####.com:443
- UDP(???) rr8---s####.g####.com:443
- TCP(???) ms####.m.u####.com:443
- TCP(???) cyl####.dot.xinhuaz####.com:443
- TCP(???) h.t####.qq.com:443
- UDP(???) rr3---s####.g####.com:443
- UDP(???) rr6---s####.g####.com:443
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) wx.q####.cn:80
- TCP(HTTP/1.1) u.j####.com:80
- TCP(TLS/1.0) firebas####.google####.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) ccs.u####.com.####.com:443
- TCP(TLS/1.0) new-####.u####.com:443
- TCP(TLS/1.0) os2####.u####.com:443
- TCP(TLS/1.0) rr3---s####.g####.com:443
- TCP(TLS/1.0) u.j####.com:443
- TCP(TLS/1.0) www.j####.com:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) y####.p####.info:443
- TCP(TLS/1.0) cgi.con####.qq.com:443
- TCP(TLS/1.0) web.sdk.qc####.####.com:443
- TCP(TLS/1.0) www.google####.com:443
- TCP(TLS/1.0) android####.go####.com:443
- TCP(TLS/1.0) popunif####.cn-zhan####.aliy####.com:443
- TCP(TLS/1.0) p.wts.xi####.cn:443
- TCP(TLS/1.0) a####.u####.com.####.com:443
- TCP(TLS/1.0) dualsta####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) 1####.251.38.99:443
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) errne####.u####.com.####.com:443
- TCP(TLS/1.0) ctyun-c####.j####.com:443
- TCP(TLS/1.2) 1####.194.222.95:443
- TCP(TLS/1.2) 1####.250.150.106:443
- TCP(TLS/1.2) 2####.85.233.95:443
- TCP(TLS/1.2) 74.1####.205.138:443
- TCP(TLS/1.2) 1####.251.38.99:443
- TCP(TLS/1.2) 1####.177.14.94:443
- TCP(TLS/1.2) p####.google####.com:443
- TCP(TLS/1.2) firebas####.google####.com:443
Запросы DNS:
- a####.u####.com.####.com
- alog-de####.u####.com
- and####.a####.go####.com
- and####.google####.com
- android####.go####.com
- app.j####.com
- ccs.u####.com.####.com
- cgi.con####.qq.com
- cn####.u####.com
- ctyun-c####.j####.com
- cyl####.dot.xinhuaz####.com
- devicei####.google####.com
- dualsta####.wagbr####.ali####.####.com
- errne####.u####.com.####.com
- f####.gst####.com
- firebas####.google####.com
- h.t####.qq.com
- ms####.m.u####.com
- new-####.u####.com
- os2####.u####.com
- p####.google####.com
- p.wts.xi####.cn
- pla####.google####.com
- popunif####.cn-zhan####.aliy####.com
- rr3---s####.g####.com
- rr6---s####.g####.com
- rr8---s####.g####.com
- u.j####.com
- web.sdk.qc####.####.com
- www.google####.com
- www.j####.com
- wx.q####.cn
- y####.p####.info
Запросы HTTP GET:
- cgi.con####.qq.com:443/qqconnectopen/openapi/policy_conf?status_version=...
- ctyun-c####.j####.com:443/upload/2021-01-06/112656_9a57c917cb0f99ad8f0a0...
- ctyun-c####.j####.com:443/upload/2023-04-17/173425_6ea97d9148bf43c28ebf7...
- ctyun-c####.j####.com:443/upload/2023-09-21/154040_08a24be2b3f5939c51516...
- ctyun-c####.j####.com:443/upload/2023-09-21/154045_7ae3cac9abd23ae8ee866...
- ctyun-c####.j####.com:443/upload/2023-10-11/111633_903603ebbe385dc4a6449...
- ctyun-c####.j####.com:443/upload/2024-11-06/161459_2c4685073e3d2167b86ec...
- ctyun-c####.j####.com:443/upload/2025-10-24/221740_409d0ed62861a15a7baa3...
- ctyun-c####.j####.com:443/upload/2025-12-17/100655_c32bb4349c930cb4d8b09...
- ctyun-c####.j####.com:443/upload/2026-03-02/161030_40cc55f9d6638c0542e96...
- ctyun-c####.j####.com:443/upload/2026-04-10/100032_ce716489c07de429740c3...
- ctyun-c####.j####.com:443/upload/2026-04-10/112747_2763601ad0fa166a0e9d3...
- ctyun-c####.j####.com:443/upload/2026-04-10/144501_fb66ae708b4c6ec9bacb2...
- ctyun-c####.j####.com:443/upload/2026-04-10/145039_e5b382f08ae840a7a3e64...
- ctyun-c####.j####.com:443/upload/2026-04-12/075027_095402faba8d6395df0aa...
- ctyun-c####.j####.com:443/upload/image/2026/03/10/171525_1b8371a214e1993...
- ctyun-c####.j####.com:443/upload/image/2026/03/17/144555_ad9dd714237fdb2...
- u.j####.com:443/Public/img/1.png
- u.j####.com:443/check/index/id/1/type/1/name/
- www.j####.com:443/api/problem/authorProblem/?p=####&user_id=####
- www.j####.com:443/api/problem/defaultProblem/?p=####
- www.j####.com:443/api/problem/subProblem/?p=####
- www.j####.com:443/upload/2025-07-25/150300_8cc4009a148daaa614434754cdc6c...
- www.j####.com:443/v2/base-info
- www.j####.com:443/v2/channel/10?p=####
- www.j####.com:443/v2/news/subject/205380.html
- www.j####.com:443/v2/news/subject/205380.html?p=####
- www.j####.com:443/v2/news/subject/290544.html?p=####
- www.j####.com:443/v2/politics/main?p=####
- www.j####.com:443/v2/politics/types
- wx.q####.cn/mmopen/vi_32/3kltMELicfBHCYpXP0FE3fDxE3mDYziaF3CQROVF6IWialp...
- wx.q####.cn/mmopen/vi_32/PiajxSqBRaEK6u4IhJmMkiaftIBVJQLSgcmThNt1Z0APhfT...
- y####.p####.info:443/resolve
Запросы HTTP POST:
- a####.u####.com.####.com:443/v3/a/audid/req
- ccs.u####.com.####.com:443/ra
- dualsta####.wagbr####.ali####.####.com:443/v2/inn/fetch
- errne####.u####.com.####.com:443/apm_cc
- new-####.u####.com:443/anti/postZdata
- os2####.u####.com:443/umpx_push_launch
- os2####.u####.com:443/umpx_push_register
- os2####.u####.com:443/umpx_share
- os2####.u####.com:443/unify_logs
- os2####.u####.com:443/zcfg
- popunif####.cn-zhan####.aliy####.com:443/
- y####.p####.info:443/anti_logs
Изменения в файловой системе:
Создает следующие файлы:
- /data/app/####/config.en
- /data/app/####/config.x86_64
- /data/data/####/.dmpvedpogjhejs.cfg
- /data/data/####/.fsgkea
- /data/data/####/.imprint
- /data/data/####/.jg.ac
- /data/data/####/.jg.ri
- /data/data/####/.jg.store.report_cf
- /data/data/####/.jg.store.report_pid
- /data/data/####/.pisw02fl
- /data/data/####/04e6f430f91ea70fd3a18ed9dfbd6fb6822c7fe5ad226f6....0.tmp
- /data/data/####/04e6f430f91ea70fd3a18ed9dfbd6fb6822c7fe5ad226f6...2c4d.0
- /data/data/####/06e352e283f79d8730044cf81c1139d7453eb7c29f97525...bb5b.0
- /data/data/####/0b91281fc9c88e4684985fd45feaf3751bea3512de3be6a....0.tmp
- /data/data/####/10d82dd3e95067a72b44c039db5e0e1d5ecb8d2206cf7cf....0.tmp
- /data/data/####/119ca29271f79428888bb06836406e5980cf5ff5a42a8d9...ec31.0
- /data/data/####/1f28c5a54467d7c19a7c8345a393c562918ebda990a3855....0.tmp
- /data/data/####/1f28c5a54467d7c19a7c8345a393c562918ebda990a3855...3c9e.0
- /data/data/####/246b60c211b999b6_0
- /data/data/####/28d58337ba43bed0901fe84a1326383e9ecc4a8da87edac....0.tmp
- /data/data/####/28d58337ba43bed0901fe84a1326383e9ecc4a8da87edac...167b.0
- /data/data/####/2fc8a7b497ca41a582044e409e3d80e5b69a5f93a3daffc....0.tmp
- /data/data/####/2fc8a7b497ca41a582044e409e3d80e5b69a5f93a3daffc...f27a.0
- /data/data/####/40f400beec2af1578167f823624f219497850cebdbb17d0....0.tmp
- /data/data/####/40f400beec2af1578167f823624f219497850cebdbb17d0...cf78.0
- /data/data/####/48dcd631b9e8869926f542cf9e34957d3846c2f162a1f12...f192.0
- /data/data/####/5437b099e23af920fbe0b9d04d344ed6483ed968eb4c0a0....0.tmp
- /data/data/####/5437b099e23af920fbe0b9d04d344ed6483ed968eb4c0a0...b286.0
- /data/data/####/5e5ee44f84332d6f8d070132ce5cc97c21bca0d8a464e93....0.tmp
- /data/data/####/5e5ee44f84332d6f8d070132ce5cc97c21bca0d8a464e93...0a25.0
- /data/data/####/6169c73f9695cf32_0
- /data/data/####/629edaef56dd133a368bbbe4024e0b9f2397b9785805ea6....0.tmp
- /data/data/####/728b7c2c5e53a6f5efef09075c44577aadebff6df964782....0.tmp
- /data/data/####/75df95723f36aa203c6e8138278d0aba8cc92bc11cf87fb....0.tmp
- /data/data/####/76657dc49212f5b973813f9632cdc17decdaa476129e078....0.tmp
- /data/data/####/76657dc49212f5b973813f9632cdc17decdaa476129e078...9971.0
- /data/data/####/883c1c925864d28c3b6415d63d1c9befa85c74c11f6888d...e92b.0
- /data/data/####/8a42916464bdc8466632c1ebacfd031a8ae72d736d61dd1....0.tmp
- /data/data/####/8a42916464bdc8466632c1ebacfd031a8ae72d736d61dd1...3749.0
- /data/data/####/8c41874c18e4c5ece612a5b750af6dc5a85e1b66ef14cb1....0.tmp
- /data/data/####/ACCS_BINDdefault.xml
- /data/data/####/ACCS_SDK.xml
- /data/data/####/ACCS_SDK_CHANNEL.xml
- /data/data/####/AGOO_BIND.xml
- /data/data/####/AUTH_APP_INFO.xml
- /data/data/####/AUTH_DEVICEINFO.xml
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Agoo_AppStore.xml.bak
- /data/data/####/Alvin2.xml
- /data/data/####/BaseDataConfig.xml
- /data/data/####/BuglySdkInfos.xml
- /data/data/####/ContextData.xml
- /data/data/####/Cookies-journal
- /data/data/####/KEYSTORE_SETTING.xml
- /data/data/####/KEYSTORE_SETTING.xml.bak
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/Y29uZmlnXzU0Y2YxNzA1ZmQ5OGM1OTJjZjAwMDZjNg.sp
- /data/data/####/Y29uZmlnXzU0Y2YxNzA1ZmQ5OGM1OTJjZjAwMDZjNg.sp.bak
- /data/data/####/_tmp_PRIORITIZED_5594_1775972533597
- /data/data/####/_tmp_PRIORITIZED_5594_1775972536406
- /data/data/####/_tmp_PRIORITIZED_5594_1775972539222
- /data/data/####/_tmp_PRIORITIZED_5594_1775972547838
- /data/data/####/_tmp_PRIORITIZED_5594_1775972547850
- /data/data/####/_tmp_PRIORITIZED_5594_1775972552348
- /data/data/####/_tmp_PRIORITIZED_5594_1775972556155
- /data/data/####/accs.db-journal
- /data/data/####/aee2db71bb9d79e3ffa9f2c5b36e48f18b52052d0d39f91...f817.0
- /data/data/####/b50ce343fb0adffe5561d06acf2a450110dbee9a28f2da9...49c4.0
- /data/data/####/b9198e7e9722edcad090c6dc4595104fe942c99f6a39a65...69b5.0
- /data/data/####/ba0da95941772187f986299aa784b0b7cf0c108d966de73...0f43.0
- /data/data/####/base64.xml
- /data/data/####/bbb59b083527a36e866a3a2745e63e1dfe28a94e940c14a...b9af.0
- /data/data/####/bca9ec4e609bbcac60188e99f8ee5aeb64b81a9f12764bc....0.tmp
- /data/data/####/bca9ec4e609bbcac60188e99f8ee5aeb64b81a9f12764bc...3bdc.0
- /data/data/####/bullet_PRIORITIZED_5594_1775972536406
- /data/data/####/bullet_PRIORITIZED_5594_1775972539222
- /data/data/####/bullet_PRIORITIZED_5594_1775972547838
- /data/data/####/bullet_PRIORITIZED_5594_1775972547850
- /data/data/####/bullet_PRIORITIZED_5594_1775972552326
- /data/data/####/bullet_PRIORITIZED_5594_1775972556155
- /data/data/####/bullet_PRIORITIZED_5594_1775972556155_2
- /data/data/####/c10f980cf002ec8ce65e6a8476e3a478e7d9fa39d352dbc...1dd3.0
- /data/data/####/c330d3cc452503895546c840b6002f52330ced384ab26c9....0.tmp
- /data/data/####/c330d3cc452503895546c840b6002f52330ced384ab26c9...91db.0
- /data/data/####/ccg_sp_config_file.xml
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/classes.dex;classes4.dex
- /data/data/####/classes.dex;classes5.dex
- /data/data/####/classes.dex;classes6.dex
- /data/data/####/classes.oat
- /data/data/####/com.tencent.open.config.json.1104199947
- /data/data/####/com.vivo.push_preferences.xml
- /data/data/####/com.zsjj.activity_preferences.xml
- /data/data/####/com.zsjj.activity_tbs_public_settings.xml
- /data/data/####/com.zsjj.activity_unimp0_tbs_public_settings.xml
- /data/data/####/crash_dump.log
- /data/data/####/d8f3dc465f74eb30009e711be0554717ec29c031912ef57....0.tmp
- /data/data/####/delayed_transmission_flag_new.xml
- /data/data/####/dso_deps
- /data/data/####/dso_lock
- /data/data/####/dso_manifest
- /data/data/####/dso_state
- /data/data/####/e12c23fa1a7b18301ef8334a2c2597ae8ddcc4ab40ccdf2...cbf7.0
- /data/data/####/e54b5793b067e72c539d9c3ea7d1a0b46ef9ce1130ea289....0.tmp
- /data/data/####/e54b5793b067e72c539d9c3ea7d1a0b46ef9ce1130ea289...4ad4.0
- /data/data/####/eee1ecda20adbc687724188fb7741668fc4879e682d363f....0.tmp
- /data/data/####/eee1ecda20adbc687724188fb7741668fc4879e682d363f...831f.0
- /data/data/####/efs_launch.xml
- /data/data/####/efsid5594
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f300f929f7732154a6c8ce85e7df6a9ad2769e65fd52f2b...4df2.0
- /data/data/####/f3203837699a58b14ad042a20a7440f4b05370db8c171c7....0.tmp
- /data/data/####/f3203837699a58b14ad042a20a7440f4b05370db8c171c7...d919.0
- /data/data/####/f9cad445d2ba28feb3ab9b18680680e90ce0739f5b74655....0.tmp
- /data/data/####/f9cad445d2ba28feb3ab9b18680680e90ce0739f5b74655...e815.0
- /data/data/####/fee5a2e679fbcdc5ef4df7d96a61ab1e6db9b40b44233ad...893a.0
- /data/data/####/i==1.2.0&&5.9.16_1775972540403_dW5pZnlfbG9ncw==;.log
- /data/data/####/index
- /data/data/####/itconfig.sp
- /data/data/####/itconfig.sp.bak
- /data/data/####/jgobfppppp (deleted)
- /data/data/####/journal
- /data/data/####/jsserver_start.log
- /data/data/####/libTRAECodec.so
- /data/data/####/libalicomphonenumberauthsdk_core.so
- /data/data/####/libbreakpad-core.so
- /data/data/####/libc++_shared.so
- /data/data/####/libcrashsdk.so
- /data/data/####/libdcblur.so
- /data/data/####/libenc.so
- /data/data/####/libfreetype.so
- /data/data/####/libgcanvas.so
- /data/data/####/libgifimage.so
- /data/data/####/libimage_processing_util_jni.so
- /data/data/####/libimagepipeline.so
- /data/data/####/libjiagu.so
- /data/data/####/liblamemp3.so
- /data/data/####/libliteavsdk.so
- /data/data/####/libnative-filters.so
- /data/data/####/libnative-imagetranscoder.so
- /data/data/####/libpl_droidsonroids_gif.so
- /data/data/####/libpns-2.14.12-LogOnlineStandardCuumRelease_ali...lus.so
- /data/data/####/libsaturn.so
- /data/data/####/libsecsdk.so
- /data/data/####/libstatic-webp.so
- /data/data/####/libstlport_shared.so
- /data/data/####/libtnet-3.1.14.so
- /data/data/####/libtraeimp-rtmp.so
- /data/data/####/libtxffmpeg.so
- /data/data/####/libucrash-core.so
- /data/data/####/libucrash.so
- /data/data/####/libumeng-spy.so
- /data/data/####/libumonitor.so
- /data/data/####/libweexcore.so
- /data/data/####/libweexjsb.so
- /data/data/####/libweexjss.so
- /data/data/####/libweexjst.so
- /data/data/####/libyuv.so
- /data/data/####/message_accs_db
- /data/data/####/message_accs_db-journal
- /data/data/####/metrics_guid
- /data/data/####/monitor.db
- /data/data/####/monitor.db-journal
- /data/data/####/ncc_sp_config_file.xml
- /data/data/####/p==6.7.6&&5.9.16_1775972538135_dW1weF9wdXNoX3Jl...y;.log
- /data/data/####/p==6.7.6&&5.9.16_1775972548030_dW1weF9wdXNoX2xh...=;.log
- /data/data/####/paconfig.sp
- /data/data/####/paconfig.sp.bak
- /data/data/####/pdr.xml
- /data/data/####/pdr.xml.bak
- /data/data/####/proc_auxv
- /data/data/####/s==7.3.7&&5.9.16_1775972536894_dW1weF9zaGFyZQ==;.log
- /data/data/####/sendlock
- /data/data/####/share.db-journal
- /data/data/####/ssoconfigs.xml
- /data/data/####/t==9.9.1&&5.9.16_1775972537855_dW5pZnlfbG9ncw==;.log
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_preloadx5_check_cfg_file.xml
- /data/data/####/tbs_pv_config
- /data/data/####/tbslock.txt
- /data/data/####/the-real-index
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_crash_cfg.xml
- /data/data/####/um_policy_grant.xml
- /data/data/####/um_push_union.xml
- /data/data/####/um_push_ut.xml
- /data/data/####/um_session_id.xml
- /data/data/####/um_social_azx.xml
- /data/data/####/um_umcrash.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_policy_result_flag
- /data/data/####/umeng_push.xml
- /data/data/####/umeng_push.xml.bak
- /data/data/####/umeng_socialize.xml
- /data/data/####/umeng_sp_oaid.xml
- /data/data/####/umeng_zcfg_flag
- /data/data/####/umeng_zero_cache.db
- /data/data/####/umeng_zero_cache.db-journal
- /data/data/####/umzid_general_config.xml
- /data/data/####/unimp0_umeng_common_config.xml
- /data/data/####/unique
- /data/data/####/uyumao_info.xml
- /data/data/####/ver
- /data/data/####/weex_default_settings.xml
- /data/data/####/xUtils.db
- /data/data/####/xUtils.db-journal
- /data/data/####/xUtils.db-journal (deleted)
- /data/data/####/xUtils.db-shm
- /data/data/####/xUtils.db-shm (deleted)
- /data/data/####/xUtils.db-wal
- /data/data/####/xUtils.db-wal (deleted)
- /data/data/####/xUtils_http_cache.db
- /data/data/####/xUtils_http_cache.db-journal
- /data/data/####/xUtils_http_cache.db-journal (deleted)
- /data/data/####/xUtils_http_cookie.db
- /data/data/####/xUtils_http_cookie.db-journal
- /data/data/####/xUtils_http_cookie.db-journal (deleted)
- /data/data/####/xUtils_http_cookie.db-shm
- /data/data/####/xUtils_http_cookie.db-shm (deleted)
- /data/data/####/xUtils_http_cookie.db-wal
- /data/data/####/xUtils_http_cookie.db-wal (deleted)
- /data/data/####/z==1.2.0&&5.9.16_1775972533497_emNmZw==;.log
- /data/data/####/zy_unique_id.bin
- /data/data/####/zyanalytics.xml
- /data/data/####/zyanalytics.xml.bak
- /data/media/####/tbslog.txt
- /data/misc/####/primary.prof
- /data/user_de/####/move_to_de_records.xml
Другие:
Запускает следующие shell-скрипты:
- <Package>:jse 103 104 1 /data/user/0/<Package>/app_crash/crash_dump.log
- getprop ro.product.brand
- getprop ro.product.cpu.abi
- getprop ro.product.model
- getprop ro.system.build.id
- ls -l /system/bin/su
- ls /
- ls /sys/class/thermal
- sh -c type su
Загружает динамические библиотеки:
- libbreakpad-core
- libc++_shared
- libjiagu
- libpns-2.14.12-LogOnlineStandardCuumRelease_alijtca_plus
- libtnet-3.1.14
- libucrash
- libumeng-spy
- libweexcore
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- RC4
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- DESede-CBC-NoPadding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Отрисовывает собственные окна поверх других приложений.
